North Korea-linked hackers target energy and aerospace companies in new espionage campaign

Avatar

A cyber-espionage campaign with links to North Korea is targeting companies in the energy and aerospace industries, according to new research from Mandiant.

The group behind the campaign, tracked as UNC2970, is likely linked to North Korea and overlaps with another Pyongyang-backed threat actor, TEMP.Hermit.

Researchers at the Google-owned cyber outfit uncovered UNC2970’s recent campaign in June 2024 and released their findings on Tuesday. The group was first identified in 2021 and has since targeted victims in the U.S., U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong and Australia.

According to the report, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for prominent companies. They ultimately share a malicious archive purported to contain a job description in PDF file format.

The PDF file can only be opened with a trojanized version of the legitimate open-source document viewer, SumatraPDF, which delivers a backdoor named Mistpen via the Burnbook launcher.

Researchers noted that the hackers modified the open-source code of an older version of SumatraPDF for this campaign, and that the actual SumatraPDF service was not compromised.

UNC2970 relies on legitimate job description content to target, among others, victims employed in U.S. critical infrastructure sectors.

The Mistpen malware is a modification of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been improved over time with new features and an added network connectivity check, which complicates sample analysis, researchers said.

Although Mandiant does not name the specific victims targeted in this campaign, researchers believe the hackers are likely aiming to reach senior- or manager-level employees.

“This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees,” researchers said. The hackers also tailor their malicious messages to better align with the victim’s profile, they added.

NewsNews BriefsNation-stateMalware
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Previous Post

Company listed on Shanghai stock exchange accused of aiding Chinese cyberattacks

Next Post

FBI says it recently dismantled a second major China-linked botnet

Related Posts

South Korea Fines Meta $15.67M for Illegally Sharing Sensitive User Data with Advertisers

Meta has been fined 21.62 billion won ($15.67 million) by South Korea's data privacy watchdog for illegally collecting sensitive personal information from Facebook users, including data about their political views and sexual orientation, and sharing it with advertisers without their consent. The country's Personal Information Protection Commission (PIPC) said Meta gathered information such as
Avatar
Read More